Saturday, May 22, 2010

Microcosm & Macrocosm: Reflections on 2010 IEEE Symposium on Security & Privacy; Q & A on Cloud, Cyberwar & Internet Freedom w/ Dr. Peter Neumann

Ross Anderson and Steven Murdoch of University of Cambridge accept 2010 IEEE Symposium of Security & Privacy Best Practical Paper Award

By Richard Power


The 2010 IEEE Symposium on Security and Privacy, held in Oakland, California, marked the 30th anniversary of this prestigious event.

Carl Landwehr, Program Director at the National Science Foundation, Senior Research Scientist at the University of Maryland Institute for Systems Research (and Editor in Chief of IEEE Security & Privacy Magazine), received two awards: the IEEE Computer Society Distinguished Service Award and the Computer Society Technical Committee on Security and Privacy Outstanding Community Service Award.

Jerry Saltzer, Professor Emeritus of the M.I.T. Computer Science and Artificial Intelligence Lab (CSAIL), received the National Computer Security Award. Previous recipients include Jim Anderson, Dennis Branstad, Steven Bellovin, David Clark, Robert Courtney, Dorothy Denning, Whit Diffie, Virgil Gligor, Martin Hellman, Butler Lampson, Peter Neumann, Donn Parker, Ron Rivest, Roger Schell, Mike Schroeder, Eugene Spafford, Walter Tuchman, Steve Walker, and Willis Ware.

The "Best Paper" award went to Margarita Osadchy, Benny Pinkas, Ayman Jarrous and Boaz Moskovich of the University of Haifa for "SCiFI - A System for Secure Face Identification."

The "Best Student Paper" award went to "TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection" by Tielei Wang, Tao Wei and Wei Zou of Peking University, and Guofei Gu of Texas A&M University.

The award for "Best Practical Paper," sponsored by IEEE Security and Privacy Magazine, went to Ross Anderson, Steven Murdoch, Saar Drimer and Mike Bond of the University of Cambridge for "Chip and PIN is Broken." This work describes and demonstrates "a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the card that no PIN was entered at all." (For more information and the full paper, go to Ross Anderson's blog, Light Blue Touchpaper, 2-11-10.)

As mentioned in my previous post on this year's Symposium, there were 31 papers presented in the course of the three-day event. These papers explored ten research areas, from Malware Analysis (e.g., Automated Extraction of Proprietary Gadgets from Malware Binaries) and Network Security (e.g., Round-Efficient Broadcast Authentication Protocols for Fixed Topology Class) to Systemization II (e.g., Bootstrapping Trust in Commodity Computers) and Analyzing Deployed Systems (e.g., Experimental Security Analysis of a Modern Automobile).

Such research is vital, and it is always inspiring to listen to the fruits of this worthy labor. But I confess that as I sat through session after session, I found myself drawing back to contemplate the big picture, as I have been doing in my writings and talks over the last few years. (See, for example, Starting Over After A Lost Decade, In Search of a Bold New Vision for Cyber Security (Cerias Security Seminar, 9-30-09) and Red Pill? Blue Pill? Ruminations on the Intersection of Inner Space and Cyber Space (CSO Magazine, 10-23-09).)

As I scanned the overflowing audience, I saw Peter Neumann sitting in the last row, hunched over his laptop. So I asked him to give me his insights on the three big-picture questions I have been mulling over.

Q: At this year's RSA conference, I was struck by one keynote speaker after another declaring the "cloud" as the future, and exhorting everyone to hurry into the "cloud," where we will find security much easier to attain and everything will be better. Who "we" is, is hard to answer in the cloud. Who is securing whom, and what else are they doing? These are real concerns. Could you talk about the cyber security and privacy implications of "cloud computing"?

Peter Neumann: Yes, I noticed Scott Charney, Howard Schmidt and Janet Napolitano extolling the wonders of cloud computing, and so many vendors saying they had it all under control. This is sheer and utter nonsense. Having to trust untrustworthy third- and fourth-party vendors, some of whom you do not even know exist (cf. Les Lamport's definition of a Distributed System), is ridiculous, given that the infrastructures, the computer systems, and the authentication processes are not trustworthy. Confidentiality and privacy may be the least of our concerns, compared with system integrity, denial-of-service attacks, the lack of traceability and attribution, the lack of meaningful audit trails, and so on.

Q: The term "Cyberwar" is taking on a life of its own. You and I discussed "information warfare" well over a decade ago. What would you like to say about this term "cyberwar" and what it purports to describe? Overly hyped? Something different than the issues we have been dealing with all along in the struggle to secure cyberspace? Both?

Neumann: Cyberwar is indeed an overly hyped concept. The "war" on terrorism is a bad enough metaphor, but "cyberwar" is even worse. Who is the enemy? As Pogo once said, "We have met the enemy, and he is us." We will never completely secure "cyberspace", and the "enemy" will always have many advantages. However, we could do much better than we do at present. Also, take a look at my paragraph on the misuse of "cyber" (which is a combining form, not a noun or an adjective) on my website: http://www.csl.sri.com/neumann. (I just put up a new limerick on "metrics" also.)

Q: Spaf said something to me a while ago, that perhaps there will be no Internet readily and freely accessible ten or twenty years into the future. I used to jokingly tell people that although the proverbial "they" succeeded in burning down the library of Alexandria, the proverbial "they" won't be able to do the equivalent to the Internet ... Ha ha ... Now I wonder. For example, the battle over net neutrality could be won in the legislatures but lost in the cloud, couldn't it? Net neutrality, government censorship, the mysterious hidden workings of the cloud: do these threaten the future freedom and evolution of the Internet as a global commons? And is there any hope?

Neumann: On "network neutrality," unless the lobbyists' control over Congress ceases, legislative solutions will continue to be largely misguided in this area. But even if legislation were to become sensible here, you are correct -- it could still be lost in the clouds. Is there any hope? Yes, of course, we have to retain some modicum of optimism, but it must be accompanied by a radical shift in the entire culture by which mediocre systems with short-sighted requirements and short-sighted development practices abound. Think about BP's practices in the Gulf, and the financial industry, and you have an approximation for the computer industry and practice.

In conclusion, Neumann added, "This is off the top of the head, and reflects just a few of my holistic concerns. The picture requires much greater total-system long-term thinking than is used today."

As always, Neumann's thinking is both provocative and profoundly insightful.

And as always, if industry and government choose to ignore him, they do so not only at their own peril, but at the peril of all.

Of course, the Cloud is now inevitable; after all, it has been decreed by the captains of industry. Yes, it will offer both challenges and opportunities. But we should not sell it to ourselves as a security strategy, and we should not fool ourselves: it is simply another dimension of risk added to the many dimensions of risk we are already operating within.

In regard to the term "Cyberwar," my views are somewhat complex and contradictory. I find myself promoting it in some contexts and debunking it in others, depending upon the misconceptions that dominate the space of the discussion.

And the future of the Internet? Well, the future of the Internet as a free and open cyberspace is nothing less than the future of human civilization; not necessarily the future of the human race, but of human civilization, or perhaps more precisely anything worthy of being called a "human civilization." Therefore, it is too important to be left to industry and government, or both, at least as long as there is a revolving door between the two, and especially while all other voices are without counter-balancing influence.

Preserving a free and open Internet, and making it accessible for the private use of all humans, is both a security issue and a human rights issue. Increasingly, in the 21st Century, security issues and human rights issues are becoming interdependent, and, as in other arenas of human endeavor, we can no longer allow commercial interests to trump security and human rights concerns.

See Also

CyLab Research has Powerful Impact on 2010 IEEE Security & Privacy Symposium

RSA 2010: Lost in the Cloud, & Shrouded in the Fog of War, How Far Into the Cyber Future Can You Peer? Can You See Even Beyond Your Next Step?